2_24590_Infoblox--Defeating-APT-Malware.pdf

7/27/2019 2_24590_Infoblox--Defeating-APT-Malware.pdf

1/16

WHITEPAPER

Defeating Advanced Persistent

Threat Malware


2/16

WHITEPAPER

Table of Contents

1. Malware is Everywhere 2

1.1. Attacks Can Come From Anywhere 2

1.2. Malware Statistics are Startling 3

1.3. All Malware Is Not Alike 4

1.4. APT Malware Breaches Are Expensive 5

2. APT Malware Requires a New Approach 7

2.1. APT Malware Exploits the DNS Protocol 7

2.2. DNS Security Gap 7

2.3. Solution to APT Malware: A DNS Firewall 8

3. Design Considerations or a DNS Firewall 9

3.1. Security (including Malware) Related Standards Worldwide 9

3.2. Malware-related Standards in the United States 9

3.3. Multi-tier DNS Security 10

4. Combatting APT Malware 11

4.1. An Approach Worth Investigating Inoblox DNS Firewall 11

4.2. How the Solution Works 12

4.3. Meeting Malware-related Security Standards 13

4.4. Meeting Multi-tier Security Requirements 13

4.5. Why the Solution is Unique 14

4.6. Learning More 14

1


3/16

Defeating Advanced Persistent Threat Malware

2

1. Malware is Everywhere

1.1. Attacks Can Come From Anywhere

Press headlines are lled by reports o malware attacks. Malware attacks, once

the reserve o amateurs largely or amusement, are now launched by a number o

entities. Today, a malware attack can literally come rom anywhere in the world and

can impact even the largest organization.

Government Cyberwar teams: Governments are alleged to be attacking other

governments entities as well as private companies1.

Hacktivists: Hacker activists (called hacktivists) are utilizing malware attacks as

a orm o protest against government, commercial, and even private web sites2.

Governmentcensororganizations:Certaingovernmentsareallegedlyusing

malware attacks as a orm o censorship. For example, it is suspected that

websites are selectively blocked to prevent social media rom being used to

organize protests and to coalesce public opinion against the government3.

Criminal Elements: Malware attacks upon banks and upon individuals are

executed by criminal elements worldwide4.

RandomIndividuals:Withtheavailabilityoflowcostorevenfreerollyour

own malware kits on the Web5, almost anyone can plan and execute a

malware attack.

Malware is protable: malware is no longer just a un game or script kiddies

or a eld o study or researchers. Today, it is a serious business and source o

revenue or malicious actors and criminals all over the world. Malware, together

with other cyber tools and techniques, provides a low cost, reusable method oconducting highly lucrative orms o cybercrime. 6

Organisation or Economic Co-operation and Development (OECD)

1 Winter, Michael, USA Today, NBC: Iran repor tedly behind cyber attacks on U.S. banks, 09/20/12.

2 Dunn, John E., Computerworld, Hacktivists DDoS UK, US and Swedish Government websites, 9/7/12.

3 Wikipedia, http://en.wikipedia.org/wiki/Internet_censorship_in_the_People%27s_Republic_o_China.

4 Wikipedia, http://en.wikipedia.org/wiki/Botnet

5 Wikipedia, http://en.wikipedia.org/wiki/Webattacker

6 OECD, OECD Guidelines or the Security o Inormation Systems and Networks,

http://www.oecd.org/sti/interneteconomy/15582260.pd, 2002.


4/16

WHITEPAPER

3

1.2. Malware Statistics are Startling

Statistics about malware attacks are truly startling due to the number o attacks, the

number o successul attacks, and the time that it takes to discover malware.

The average volume o new malware threats is approximately 7.8 million per quarter

or the rst three quarters o 2012 alone, a rate o 1 new threat per second! During thesame period, malware on mobile devices grew more than 10 old, according to McAee7.

Further, malware attacks are extremely eective. A 2012 Verizon security study8

illustrates that in 2011 alone there were:

Around855successfulbreachesofcorporateorgovernmententitiesthat

compromised around 174 million records.

O the successul breaches, 69% utilized Malware.

7 McAee, McAee Threats Report: Third Quarter 2012,

(http://www.mcaee.com/us/about/news/2012/q3/20120910-01.aspx?cid=110907)

8 Verizon, Verizon Security Study 2012,

(http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pd, 2012)

Source: McAee, 2012.


5/16


4

1.3. All Malware Is Not Alike

There are numerous amilies, classes, subclasses, and variants o malware.

Many sources dier as to the categorization. Also, many types o malware exhibit

characteristicsofmultiplefamiliesandclassesandsocanbedescribedashybrid.

To provide a reerence point or this White Paper, Inoblox has created a classication

system or Malware.

Source: McAee, 2012.

Source: Inoblox, 2013


6/16

WHITEPAPER

5

Inoblox considers there to be three major amilies o malware as shown in the

diagram Viruses, Worms, and Trojan Horses. O the Trojan Horses:

One class called IP-exploiting typically uses Internet Protocol (IP) or

communications.

Another class called DNS-exploiting typically exploits Domain Name

Services (DNS) or communications between the malware-inected device and

themastercontrollerofanetworkofinfecteddevices(calledabotnet).

DNS-exploiting Malware typically is designed to remain undetected on servers and

on personal devices over a long time period. Based on commands received rom the

mastercontrollerviabackdoormalware,infecteddeviceswilleithercapturedata(via

spyware malware) or execute actions such as send SPAM emails or participate in a

Distributed Denial o Service (DDoS) attack.

As this type o malware is very sophisticated and is designed to persist over time, a

commonly-used description or this category is Advanced Persistent Threat or APT

Malware. This White Paper will use the term APT Malware or consistency across a

variety o inormation sources.

1.4. APT Malware Breaches Are Expensive

A study by the Ponemon Breach Institute provides some estimated costs or

malware9. In terms o total Malware cost per company, gures are:

A 2011 median cost o $5.9 million dollars annually / average o $8.4 million

annually across all companies and industries studied.

While the study says that the gures may not be wholly trustworthy due to low

sample size, the 2011 cost by industry is estimated to range rom an average oalmost $20 million / year or Deense down to $3 million / year or Retail.

Source: Ponemon Institute, 2012.


7/16


6

APT Malware (categorized as Malicious code in the diagram below) is the most

expensive kind o malware, accounting or approximately 23-26% o the total annual cost.

One actor in the expense o Malware is the length o time that it remains undetected,

particularly by internal stas. The Verizon study10 calculated that:

54% o malware took months to discover

29% o malware took weeks to discover

92% o malware is detected by an external par ty.

Netting out the gures above, it appears that most companies never detect

malware at all much less in a timely manner.

9 Ponemon Institute, Second Annual Cost o Cyber Crime Study,

(http://www.hpenterprisesecurity.com/collateral/report/2011_Cost_o_Cyber_Crime_Study_August.pd),

August 2011.

10 Verizon, Verizon Securit y Study 2012,

(http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pd, 2012).

Ponemon Institute, 2012


8/16

WHITEPAPER

2. APT Malware Requires a New Approach

2.1. APT Malware Exploits the DNS Protocol

For the Domain Name System (DNS) protocol to work properly, DNS communications

must fow reely among all devices and applications. Further, since DNS is integral

to the process o establishing and maintaining communications with a web server,

applications such as chat, and mobile device applications, any delays in processing

or potential decreases in availability could easily ripple into a much larger problem. As

a result, DNS commands are typically not intercepted or inspected by existing security

approaches.

By exploiting DNS, malware developers can sidestep existing security approaches:

For example, since network rewalls typically blacklist at the IP address level,

malware master controllers reportedly change their IP addresses hourly either

by rotation on a list or by using techniques such as Fast fux to hide behind a

variety o ever-changing proxy servers11.

Also, since web lter approaches typically work on the exact URL only, by

changing URLs fexibly within a domain, malware circumvents web lter

approaches.

DNS provides a powerul means or locating the botnet master controller and or

transmitting instructions to inected devices. For example, DNS is used to locate the

botnet master controller, even when it changes IP addresses and/or URLs requently.

Also, DNS is used to transmit instructions to the inected devices, via techniques

typically called DNS tunneling or DNS hijacking12.

2.2. DNS Security Gap

Many organizations believe in the concept o layered security. Wikipedia denes

layered security as For every category o threat, there should be an eective control

deployed to mitigate the threat.13 (Security industry analysts also use the term

Deense in Depth to describe this concept. 14) In summary, each network layer

typically has unique vulnerabilities that attackers strive to leverage. Further, dierent

attacks can be directed at the same layer. So, on average, each network layer should

have its own security mechanism that counters its unique vulnerabilities and protects

against all relevant attacks.

11Wikipedia, http://en.wikipedia.org/wiki/Botnet

12 Wikipedia, http://en.wikipedia.org/wiki/DNS_hijacking

13 Wikipedia, http://en.wikipedia.org/wiki/Layered_security

14 Wikipedia, http://en.wikipedia.org/wiki/Deense_in_depth_(computing)

7


9/16


For example, the diagram to the right shows a variety o malware threats and the

corresponding ways in which they are neutralized. For example, many Viruses and

Worms are eectively addressed with antivirus scanning. Also, malware DDoS attacks

can be neutralized within the DNS and/or overall networking architecture. Device

monitoring packages can intercept questionable le downloads.

However, APT malware that exploits DNS or communications cannot be eectively

addressed by existing approaches:

While this capability does not rely on DNS, APT malware deeats signature-

based approaches built into anti-virus packages by techniques such as

repacking15.

Web Filters typically act at the URL level since they are blocking specic content

objects

Firewalls typically act at the IP level since they are blocking specic servers

Data Loss Prevention approaches typically would require numerous, overly

intrusivesensorpointsinthenetworktoenablesniffingofallDNStraffic.

As existing approaches, while highly useul against certain types o malware, are noteective against APT Malware, a new deense must be designed and deployed.

15 Caballero, Juan, et.al., Measuring Pay-per-Install: The Commoditization o Malware Distribution, USENIX

White Paper,

http://static.usenix.org/events/sec11/tech/ull_papers/Caballero.pd, August, 2011.

Hardening Perimeter Monitoring IP-based

Hardened

Appliances, SecureInterconnections,

Consistent Cover-

age Core to Edge

Traditional - Fire-

walls, VPNs,Virus/Trojan

Scanning, DDoS

protection, etc.

Computer

Monitoring Tools -Examine each

command, func-

tion, and setting

Reputation Data

Feeds / WebFilters

MalwareType

Counter

Measures

Not effective sinceMalware leverages

comprehensive,

working infrastructure

Some Malware getsbehind firewall and is

designed to morph

IP, behavior, and file

characteristics

Some Malwareleverages legitimate

commands unde-

tected by computer

monitoring tools

Web Filters and DataFeeds help avoid

Droppers but can not

detect DNS-

exploiting Malware

Virus and Worms

Trojan Horses -IP-based (Adware)

Trojan Horses -

IP-based (Dialers)

Trojan Horses -

IP-based (Droppers)

APT Malware -

DNS-exploiting(Trojan Spywar

& Backdoors)

DNS Security

Defense Gap

Threats

Threats

Threats

Threats

Threats

Layered Security To Combat Malware

8


10/16

WHITEPAPER

2.3. Solution to APT Malware: A DNS Firewall

Since the core communications protocol or APT Malware is DNS, an approach baked

into DNS is worthy o exploration. In act, the concept o an embedded malware

security mechanism or DNS called a DNS Firewall was proposed in a recent

Security Week article16.

Unlike a traditional network rewall that protects rom the physical layer going up to

and optionally including the application layer, a DNS Firewall must absolutely include

protection at the application layer as the quality o the actual DNS data must be

protected. To put this need in terms used by network rewalls, there is a strong need

or an Application-level DNS Firewall.

DNS rewalls likely would have prevented the success o more than 80

percent o these attacks.

Security Week

3. Design Considerations for a DNS Firewall

3.1. Security (including Malware) Related Standards Worldwide

The Organisation or Economic Co-operation and Development (OECD) is a group

o 34 countries (including the United Kingdom, Israel, Japan, Korea, and U.S.) that

together strive or economic growth. The 2002 OECD Guidelines or the Security

o Inormation Systems and Networks provide a list o broad inormation security

principles all o which are relevant and applicable to the ght against malware. Thenine principles are Awareness, Responsibility, Response, Ethics, Democracy, Risk

assessment, Security design and implementation, Security management, and

Reassessment17.

3.2. Malware-related Standards in the United States

The National Institute o Standards and Technology (NIST)

is part o the U.S. Dept. o Commerce. A NIST publication,

Guide to Malware Incident Prevention and Handling,

provides specic and targeted recommendations or

malware. Recommendations are summarized below18.

Organizations should develop and implement an

approach to malware incident prevention.

Organizations should ensure that their policies

support the prevention o malware incidents.

Organizations should incorporate malware incident

prevention and handling into their awareness programs.

16 Rasmussen, Rod, Security Week blog, Why DNS Firewalls Should Become the Next Hot Thing in Enterprise Security,

(http://www.securityweek.com/why-dns-rewalls-should-become-next-hot-thing-enterprise-security, October 2011).

9


11/16


Organizations should have vulnerability mitigation capabilities to help prevent

malware incidents.

Organizations should have threat mitigation capabilities to assist in containing

malware incidents.

Organizations should have a robust incident response process capability that

addresses malware incident handling.

3.3. Multi-tier DNS Security

A deense against APT Malware cannot be standalone since it must also resist

attacks rom hackers and rom other types o malware. To illustrate all the deenses

needed within the DNS layer, they are illustrated as tiers o attacks and corresponding

deenses.

DNS Appliance

Application-level

DNS Firewall

Stateful DNS Firewall

Network Side Enterprise Side

DNSSEC, Port Randomization,

and more

Admin Authentication

Hardware/OS Hardening

Malware Infection

DDoS

Man in the Middle

Device Attack

Botnet Commandand Control

DDoS frominternal Zombies

Man in the Middlefrom BYOD

Device Attack

Physical Attack Physical Attack

DNS Security must resist both external and internal attacks

10

17 OECD, OECD Guidelines or the Security o Inormation Systems and Networks,

http://www.oecd.org/sti/interneteconomy/15582260.pd, 2002.

18 National Institute o Standards and Technology, U.S. Dept. o Commerce, Guide to Malware Incident Prevention and

Handling, http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pd, November 2005.


12/16

WHITEPAPER

A DNS Security approach must be built on top o a robust security oundation.

Starting at the bottom o the gure to the let:

A DNS appliance must be able to resist both internal and external physical

attacks via hardening o the hardware and the operating system.

Device attacks need to be repelled via advanced administrator authentication

techniques (i.e. TACACS).

Network attacks arising rom hostile devices in the network and/or compromised

Bring Your Own Devices (BYODs) can be overcome via a variety o techniques

such as DNSSEC.

DDoS attacks, including attempts to overload sessions, can be averted via

DDoS techniques and the use o state to clariy which session creation requests

aregenuine.Thisissomewhatequivalenttothefunctionofastatefulnetwork

rewall and so is described as a Stateul DNS Firewall tier o deense.

Moving to the top layer, Malware inection must be proactively prevented and

Botnet command and control instructions, most likely rom inected BYOD

devices, must be disrupted. As these commands can be issued by applications,the unctionality resembles to the unction o a network application rewall. So,

the unctionality to combat APT Malware would be that o an Application-level

DNS Firewall tier o deense.

4. Combatting APT Malware

4.1. An Approach Worth Investigating Inoblox DNS Firewall

Inoblox created a DNS security solution called the Inoblox DNS Firewall based

on its market-leading amily o products Trinzic DDITM. Inoblox believes that this

approach is the industrys rst true DNS security solution.

The Inoblox DNS Firewall solution is composed o:

Product License: The unctionality is pre-installed with the latest release o

Inobloxs Trinzic DDI operating system and only needs a key or activation.

Malware Data Feed rom Inoblox (optional annual subscription): The product

license will accept multiple data eeds. The customer has the option o

subscribing to Inobloxs proprietary malware-specic reputational data eed.

Inoblox GridTM: The solution requires an Inoblox Grid be installed as it leverages

Grid unctions such as automatic le updates, security, and more.

11


13/16


4.2. How the Solution Works

As shown in the gure to the right, the solution works as ollows:

1 When the Inoblox experts detect a new malware, the Inoblox Malware Data

Feed immediately sends an update to our customers.

2 Either directly or by leveraging the Inoblox GridTM, the updated data is sent to all

Inoblox Recursive DNS Servers in near real time.

3 I an end user clicks on a malicious link or attempts to go to a known malware

website, the attempt will be blocked at the DNS level.

4 The session can be redirected to a landing page / walled garden site dened by

the company administrator.

5 For clients that are inected already, very typically user-owned devices, the

inected client will attempt to use DNS commands to communicate with the

botnet master controller. The Inoblox DNS Firewall will not execute these

commands, eectively crippling the botnet.

6 All activities are written to industry-standard Syslog ormat so that the IT team

can either investigate the source o the malware links or cleanse the inectedclient. Data is also ed to the Trinzic Reporting product or analysis and reporting.

Infoblox DNS Firewall/ Recursive DNS Server

Infoblox DNS Firewall/ Recursive DNS Server

Infoblox DNS Firewall

/ Recursive DNS Server

Infected

Client

Write to Syslog andsend to Trinzic Reportin

Landing Page/Walled Garden

Redirect

Malicious link to

www.badsite.com

Contact

Botnet

Block/DisallowSession

ApplyPolicy

DynamicPolicy Update

Dynamic Grid-WidePolicy Distribution

alware Data Feedfrom Infoblox

1

2

3

6

5

4

Operation o the Inoblox DNS Firewall

12


14/16

WHITEPAPER

4.3. Meeting Malware-related Security Standards

In addition to the OECD standards, the Inoblox solution ully meets the NIST

standards as summarized in the table below:

4.4. Meeting Multi-tier Security Requirements

As the Inoblox DNS Firewall leverages the security architecture o both the Inoblox

GridTM and Inoblox appliances, the multi-tier security requirements detailed in the

previous section are all provided. Most importantly, since the actual DNS commands

issued by all applications and devices are monitored, the product provides the

protection o an Application-level DNS Firewall.

NIST Standard Infoblox DNS Firewall

Organizations should develop and

implement an approach to malware incident

prevention.

Organizations should ensure that their

policies support the prevention o malware

incidents.

Organizations should incorporate malware

incident prevention and handling into their

awareness programs.

Organizations should have vulnerability

mitigation capabilities to help prevent

malware incidents.

Organizations should have threat mitigation

capabilities to assist in containing malware

incidents.

Organizations should have a robust incident

response process capability that addresses

malware incident handling.

Provides an end to end approach that

proactively prevents inection as well as

execution o Malware, thereore minimizing

or eliminating malware incidents.

Malware policies are automatically updated

via the Inoblox Malware Data Feed.

Policies can also be set or modied by the

security administrator.

The Landing Page / Walled Garden

unctionality is tailor-made or incorporation

into awareness programs.

Vulnerability mitigation is built-in via both

redirection o inected clients and disruption

o botnet communications.

Since botnet communications and sessions

are disrupted, Malware is contained.

All malware activities are logged. With

the use o the Inoblox Reporting Server,

malware reports can also be exported into

IT task lists or malware incident handling

such as cleanup o inected devices.

13


15/16


4.5. Why the Solution is Unique

The Inoblox DNS Firewall provides dierentiating capabilities to Security and

Networking organizations in terms o being Proactive, Timely, and Tunable.

4.5.1. Proactive

The Inoblox DNS Firewall stops clients rom becoming inected by going to a malware

websiteorclickingonamaliciouslink.Further,hijackedDNSCommandandControl

requests are not executed to prevent the botnet rom operating. Lastly, all malware

activities are logged and reported to pinpoint inected clients and attacks.

4.5.2. Timely

The Inoblox DNS Firewall leverages comprehensive, accurate, and current malware

data to detect and resolve malware weeks to months aster than in-house eorts.

The robust data provided by Inoblox is comprehensive in terms o including all

known attacks and very accurate in terms o a very low alse positive rate. Automated

distribution maximizes response timeliness rom Inoblox throughout the customers

Grid in near real-time.

4.5.3. Tunable

The solution is tunable to ensure that all threats can be countered in the customers

unique environment. The solution allows the denition o hierarchical DNS,

NXDOMAIN Redirection, and Malware policies that maximize fexibility. The

administrator has ull control over which policies are enorced by each recursive DNS

server. The Inoblox Malware Data Feed includes several options that enable the

precise matching o data, including geography, to the threats encountered. In addition,

the Inoblox Data Feed can also be combined with multiple internal and external

reputational data eeds.

4.6. Learning More

To learn more, please point your browser to www.inoblox.com/dnsrewall or contact

[email protected].

14


16/16

CORPORATE HEADQUARTERS:

+1.408.625.4200

+1.866.463.6256

(toll-free, U.S. and Canada)

[email protected]

www.infoblox.com

EMEA HEADQUARTERS:

+32 (0)22 590 430

[email protected]

APAC HEADQUARTERS:

+(852) 3793-3428

[email protected]

2_24590_Infoblox--Defeating-APT-Malware.pdf

Documents

Transcript of 2_24590_Infoblox--Defeating-APT-Malware.pdf